sectoprat | 3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe
Size

5.7MB
MD5

0a8cc5c964c43f0ed0170ead67c4602d
SHA1

1048b45bb59628ead5cffab099f217f422c25c9a
SHA256

3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8
SHA512

100f1ab123172a09ebe232a4e22dbcda66294df9259c18da7fabee2c072ef8489a9ad473c47ca48ca7d712249f3b09ce44508fe16e4ff0e23b0a47dd34b92daa
SSDEEP

98304:WeQvusTfg5ngazFFo6gy4ve6ZkD81Jo12b5DwqFapmkv:WeKdTfglgazFFofy4v1MEipqIj

Score

10^/10

sectoprat zgrat rat trojan

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1536-1-0x00000000003F0000-0x000000000099E000-memory.dmp	family_zgrat_v1

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2308-22-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Loads dropped DLL 1 IoCs

Processes:

3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe

pid process

1536 3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe

pid	process
1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe

description	pid	process	target process
PID 1536 set thread context of 2308	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1232 1536 WerFault.exe 3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1860 powershell.exe
1860 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

InstallUtil.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2308 InstallUtil.exe
Token: SeDebugPrivilege 1860 powershell.exe

pid	pid_target	process	target process
1232	1536	WerFault.exe	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe

pid	process
1860	powershell.exe
1860	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2308	InstallUtil.exe
Token: SeDebugPrivilege	1860	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe

description	pid	process	target process
PID 1536 wrote to memory of 460	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 460	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 460	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 988	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 988	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 988	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 4892	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 4892	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 4892	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 2308	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 2308	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 2308	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 2308	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 2308	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 2308	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 2308	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 2308	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	InstallUtil.exe
PID 1536 wrote to memory of 1860	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	powershell.exe
PID 1536 wrote to memory of 1860	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	powershell.exe
PID 1536 wrote to memory of 1860	1536	3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe
"C:\Users\Admin\AppData\Local\Temp\3a45c34fcd2c22c52eaf7b11e1b76b6895043f1c714d0674e0666493d39e55e8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:4892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:988
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'Live_stream_from_cosmos_events_app';New-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'Live_stream_from_cosmos_events_app' -Value '"C:\Users\Admin\AppData\Local\Live_stream_from_cosmos_events_app\Live_stream_from_cosmos_events_app.exe"' -PropertyType 'String'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 1192
  2⤵
  - Program crash
  PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1536 -ip 1536
1⤵
PID:740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q1odb4od.rxn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF03.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF35.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
memory/1536-15-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/1536-0-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/1536-6-0x0000000005360000-0x0000000005368000-memory.dmp

Filesize
32KB

Download
memory/1536-1-0x00000000003F0000-0x000000000099E000-memory.dmp

Filesize
5.7MB

Download
memory/1536-8-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/1536-2-0x0000000005370000-0x000000000540C000-memory.dmp

Filesize
624KB

Download
memory/1536-3-0x0000000005310000-0x000000000532A000-memory.dmp

Filesize
104KB

Download
memory/1536-53-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/1536-16-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/1536-19-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/1536-18-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/1536-17-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/1536-20-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/1536-21-0x0000000007560000-0x0000000007660000-memory.dmp

Filesize
1024KB

Download
memory/1536-4-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/1536-24-0x00000000079B0000-0x0000000007A42000-memory.dmp

Filesize
584KB

Download
memory/1536-9-0x0000000007000000-0x0000000007192000-memory.dmp

Filesize
1.6MB

Download
memory/1536-5-0x0000000005A50000-0x0000000005FF4000-memory.dmp

Filesize
5.6MB

Download
memory/1536-7-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/1860-52-0x00000000066B0000-0x00000000066FC000-memory.dmp

Filesize
304KB

Download
memory/1860-31-0x00000000051E0000-0x0000000005808000-memory.dmp

Filesize
6.2MB

Download
memory/1860-37-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/1860-75-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/1860-72-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/1860-34-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/1860-35-0x0000000005120000-0x0000000005142000-memory.dmp

Filesize
136KB

Download
memory/1860-32-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/1860-46-0x0000000005B10000-0x0000000005E64000-memory.dmp

Filesize
3.3MB

Download
memory/1860-29-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/1860-38-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/1860-28-0x00000000027A0000-0x00000000027D6000-memory.dmp

Filesize
216KB

Download
memory/1860-51-0x00000000060F0000-0x000000000610E000-memory.dmp

Filesize
120KB

Download
memory/2308-50-0x0000000005F80000-0x0000000005F9E000-memory.dmp

Filesize
120KB

Download
memory/2308-44-0x0000000006D20000-0x000000000724C000-memory.dmp

Filesize
5.2MB

Download
memory/2308-27-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

Filesize
64KB

Download
memory/2308-22-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2308-36-0x00000000059A0000-0x0000000005A16000-memory.dmp

Filesize
472KB

Download
memory/2308-30-0x0000000005AC0000-0x0000000005C82000-memory.dmp

Filesize
1.8MB

Download
memory/2308-33-0x00000000057E0000-0x0000000005830000-memory.dmp

Filesize
320KB

Download
memory/2308-23-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/2308-76-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download